Shortcut Switching Enhancements for NHRP in DMVPN Networks

First Published: February 27, 2006

Last Updated: November 25, 2009

Routers in a Dynamic Multipoint VPN (DMVPN) Phase 3 network use Next Hop Resolution Protocol (NHRP) Shortcut Switching to discover shorter paths to a destination network after receiving an NHRP redirect message from the hub. This allows the routers to communicate directly with each other without the need for an intermediate hop.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

DMVPN Phase 3 Networks Overview

In a DMVPN Phase 3 network, separate regional DMVPN networks are connected together into a single hierarchical DMVPN network. Spokes in different regions use NHRP to build direct spoke-to-spoke tunnels with each other, bypassing both the regional and the central hubs. When building spoke-to-spoke tunnels within a region, only the regional hubs are involved in the tunnel setup. When building spoke-to-spoke tunnels between regions, the regional and the central hubs are involved in the tunnel setup.

DMVPN Phase 3 provides improvements over a DMVPN Phase 2 network. For a DMVPN spoke-to-spoke network, the main improvements from Phase 2 are in the increased flexibility in laying out the base DMVPN network. DMVPN Phase 3 allows a hierarchical hub design whereas DMVPN Phase 2 relies on "daisy-chaining" of hubs for scaling the network. DMVPN Phase 3 also removes some of the restrictions on the routing protocols required by Phase 2 (OSPF broadcast mode and non split-tunneling). DMVPN Phase 3 is not expected to change the number of spokes that a single DMVPN hub can support but it may reduce the CPU load of the routing protocol on the hub.

Benefits of NHRP Shortcut Switching Enhancements

Cisco has developed NHRP shortcut switching model enhancements that allow for more scalable DMVPN implementations. This model provides the following benefits:

•Allows summarization of routing protocol updates from hub to spokes. The spokes no longer need an individual route, with an IP next hop of the tunnel IP address of the remote spoke, for the networks behind all the other spokes. A spoke can use summarized routes with an IP next hop of the tunnel IP address of the hub and still be able to build spoke-to-spoke tunnels. This can reduce the load on the routing protocol running on the hub router: when the networks behind the spokes can be summarized to a few summary routes or even one summary route, the hub routing protocol only has to advertise the few or one summary route to each spoke rather than all of the individual spoke routes. For example, with 1000 spokes and one router per spoke, the hub receives 1000 routes but only has to advertise one summary route to each spoke (equivalent to 1000 advertisements, one per spoke) instead of the 1,000,000 advertisements it had to process in the prior implementation of DMVPN.

•Provides better alternatives to static daisy-chaining of hubs for expanding DMVPN spoke-to-spoke networks. The hubs must still be interconnected, but they are not restricted to just a daisy-chain pattern. The routing table is used to forward data packets and NHRP control packets between the hubs. The routing table allows efficient forwarding of packets to the correct hub rather than having request and reply packets traversing through all of the hub routers.

•Allows for expansion of DMVPN spoke-to-spoke networks with OSPF as the routing protocol beyond two hubs. Because the spokes can use routes with the IP next-hop set to the hub router (not the remote spoke router as before), you can configure OSPF to use point-multipoint network mode rather than broadcast network mode. Configuring OSPF to use point-multipoint network mode removes the DR and BDR requirements that restricted the DMVPN network to just two hubs. When using OSPF, each spoke still has all individual routes, because the DMVPN network must be in a single OSPF area but you cannot summarize routes within an OSPF area.

•Allows routing protocols such as ODR to be used and still retain the ability to build dynamic spoke-to-spoke tunnels.

•Allows for hierarchical (greater than one level) and more complex tree-based DMVPN network topologies. Tree-based topologies allow the capability to build DMVPN networks with regional hubs that are spokes of central hubs. This architecture allows the regional hub to handle the data and NHRP control traffic for its regional spokes, but still allows spoke-to-spoke tunnels to be built between any spokes within the DMVPN network, whether they are in the same region or not.

•Enables the use of Cisco Express Forwarding to switch data packets along the routed path until a spoke-to-spoke tunnel is established.

NHRP as a Route Source

To implement shortcut switching, NHRP works as a route source and installs shortcut paths, as NHRP routes, directly into the Routing Information Base (RIB). This means that shortcut paths appear as routes in the routing table and NHRP works in lieu of the routing protocol (for example, RIP, OSPF or EIGRP). The shortcut routes in the RIB are distributed into the Forwarding Information Base (FIB). When a spoke discovers a shortcut path, it adds the path as an NHRP route to its routing table. The RIB and FIB have no special behaviour for shortcut switching and shortcut routes are treated like any other route.

NHRP acts as a route producer to the RIB, but it does not function as a full routing protocol. NHRP manages the route registration, resolution, and purge messages but it does not discover or maintain NHRP neighbors, advertise NHRP routing messages, or inform the network of any network topology changes.

Consider Spoke A in Figure 1. It discovers a shortcut path to N2 via Spoke 2's tunnel (overlay) address TS2. It installs the shortcut path in its NHRP mapping table via the entry N2-PS2 (TS2) and it also adds the route to the RIB. The new route in the RIB is then distributed into the FIB and the FIB installs the corresponding adjacency TS2-PS2 in the adjacency table. The new route TS2-PS2 can now be used for forwarding. Note the consistency between the RIB, the FIB, and the adjacency table.

Figure 1 NHRP As A Route Source

Next Hop Overrides

If an NHRP route in the RIB is identical to another route (owned by another protocol) in the RIB, then NHRP overrides the other protocol's next hop entries by installing shortcut next hops in the RIB. NHRP installs shortcut paths into the routing table, not as NHRP routes but as local forwarding paths. The other routing protocols continue to function as normal, managing route redistribution and advertisement. NHRP only overrides local forwarding decisions by installing alternate or backup next hops into the routing table.

NHRP Route Watch Infrastructure

In a DMVPN full-mesh design, the hub creates summary routes to each of the spokes (Interior Gateway Protocol (IGP) routes). Specific NHRP shortcuts are installed at the spokes by NHRP as and when required. These shortcuts can be viewed as a refinement of the route summaries because they deal with a specific subnet while the summary routes represent super-nets. If the summary route is absent, NHRP cannot discover a shortcut path.

The summary route, or "covering prefix", governs the existence of the NHRP route in the RIB. The removal of a covering prefix from the RIB leads to the removal from the RIB of all the corresponding NHRP routes that were learnt via this covering prefix. The tracking of covering prefixes is done via the Route Watch infrastructure.

A "watched prefix" is a route that immediately precedes an NHRP route. For example, if an NHRP route is 172.16.3.0/24, then the watched prefix corresponding to it would be 172.16.2.0/23. Each "watched prefix" and its associated "covering prefixes" are tracked by the Route Watch service. A "covering prefix" is defined as the longest matching IGP route in the RIB which is less specific than the "watched prefix". The validity of each NHRP shortcut is determined by the following events:

•If a "covering prefix" is removed so that there is no other IGP route in the RIB "covering" the watched prefix, (the watched prefix is unreachable), then the corresponding NHRP shortcut route is removed.

•If a new IGP route, which is more specific than the covering prefix but less specific than the watched prefix, is installed in the RIB, then it becomes the covering prefix for the watched prefix. If the new covering prefix has a different next hop associated with it, the original shortcut is removed.

In summary, the validity of an NHRP route in the RIB is determined by the less specific, longest match IGP route present in the RIB. NHRP shortcuts are refinements to the routing topology, so shortcut paths are added to the RIB without modifying the routing topology.
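The two validity events above can be modelled in a few lines. This is an added illustration, not Cisco code: it takes "less specific" literally as a shorter prefix length than the watched prefix, and the RIB contents, summary prefixes and hub next hops (10.1.1.99, 10.1.1.98) are constructed sample values.

```python
import ipaddress

def watched_prefix(nhrp_route):
    """Prefix one bit shorter than the NHRP route: 172.16.3.0/24 -> 172.16.2.0/23."""
    return ipaddress.ip_network(nhrp_route).supernet(prefixlen_diff=1)

def covering_prefix(nhrp_route, igp_rib):
    """Longest IGP route that contains the watched prefix and is less specific
    than it. igp_rib maps prefix -> next hop; returns (network, next_hop) or None."""
    watched = watched_prefix(nhrp_route)
    best = None
    for prefix, next_hop in igp_rib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen < watched.prefixlen and watched.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best

def revalidate(shortcuts, igp_rib):
    """shortcuts maps NHRP route -> next hop of the covering prefix it was
    learned through. Returns {route: verdict} after a RIB change."""
    verdicts = {}
    for route, learned_via in shortcuts.items():
        cover = covering_prefix(route, igp_rib)
        if cover is None:                  # event 1: nothing covers it any more
            verdicts[route] = "remove: no covering prefix"
        elif cover[1] != learned_via:      # event 2: new cover, different next hop
            verdicts[route] = f"remove: {cover[0]} now covers via {cover[1]}"
        else:
            verdicts[route] = f"keep: covered by {cover[0]}"
    return verdicts

# Constructed sample state (not from the original page).
SHORTCUTS = {"172.16.22.0/24": "10.1.1.99"}
RIB_SUMMARY = {"172.16.0.0/16": "10.1.1.99"}
RIB_WITHDRAWN = {"10.0.0.0/8": "10.1.1.99"}
RIB_MORE_SPECIFIC = {"172.16.0.0/16": "10.1.1.99", "172.16.16.0/20": "10.1.1.98"}

if __name__ == "__main__":
    for name, rib in [("summary", RIB_SUMMARY), ("withdrawn", RIB_WITHDRAWN),
                      ("more specific", RIB_MORE_SPECIFIC)]:
        print(name, revalidate(SHORTCUTS, rib))
```
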

NHRP Purge Request/Reply

When an NHRP hub replies to a resolution request, it creates a local NHRP mapping entry. The local mapping entry is a network entry for which NHRP has sent a reply. The local mapping entry maintains a list of requesters. When a network entry is modified or deleted in the routing table, NHRP is notified of the event. NHRP finds the local cache entry for the network and sends a purge request to the requesters, notifying them that the network for which it previously replied has changed. Each receiver of the purge message deletes the corresponding NHRP mapping entry from its table and sends a purge reply indicating that the purge message was processed successfully.

How to Configure Shortcut Switching for NHRP

This section contains the following procedures:

•Enabling NHRP Shortcut Switching on an Interface (required)

•Clearing NHRP Cache Entries on an Interface (optional)

Note: By default, shortcut switching on an interface is turned off. If the ip nhrp shortcut command is not configured, the DMVPN network will not use shortcut switching.

Enabling NHRP Shortcut Switching on an Interface

Perform this task to enable shortcut switching for NHRP for an interface on a router.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip nhrp shortcut

5. end

6. show ip nhrp shortcut

7. show ip route nhrp

8. show ip route next-hop-override

DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: interface type number
Example: Router(config)# interface Tunnel 0
Purpose: Enters interface configuration mode.

Step 4
Command or Action: ip nhrp shortcut
Example: Router(config-if)# ip nhrp shortcut
Purpose: Enables NHRP shortcut switching on an interface.

Step 5
Command or Action: end
Example: Router(config-if)# end
Purpose: Ends the configuration session.

Step 6
Command or Action: show ip nhrp shortcut
Example: Router# show ip nhrp shortcut
Purpose: (Optional) Displays only the NHRP cache entries that have an NHRP route or an NHRP next-hop override associated with them.

Step 7
Command or Action: show ip route nhrp
Example: Router# show ip route nhrp
Purpose: (Optional) Displays the routes added to the routing table by NHRP.

Step 8
Command or Action: show ip route next-hop-override
Example: Router# show ip route next-hop-override
Purpose: (Optional) Displays the NHRP next-hop overrides associated with a particular route, along with the corresponding default next hops.

Clearing NHRP Cache Entries on an Interface

Perform this optional task to clear NHRP cache entries that have associated NHRP routes and next-hop overrides on an interface on a router.

The following sample output shows the information displayed by the show ip nhrp command when a cache entry has an associated NHRP next-hop override in the RIB. Note that the flags for the entry are displayed as "router rib" and not "router candidate".

Router# show ip nhrp
10.1.1.22/32 via 10.1.1.22
   Tunnel0 created 00:00:06, expire 00:02:23
   Type: dynamic, Flags: router implicit
   NBMA address: 10.11.11.22
10.1.1.99/32 via 10.1.1.99
   Tunnel0 created 4d04h, never expire
   Type: static, Flags: used
   NBMA address: 10.11.11.99
172.16.11.0/24 via 10.1.1.11
   Tunnel0 created 00:00:06, expire 00:02:23
   Type: dynamic, Flags: router unique local
   NBMA address: 10.11.11.11
    (no-socket)
172.16.22.0/24 via 10.1.1.22
   Tunnel0 created 00:00:05, expire 00:02:24
   Type: dynamic, Flags: router rib
   NBMA address: 10.11.11.22

The following example shows the output displayed by the show ip nhrp command when a cache entry has an NHRP next-hop override added to the RIB. If the corresponding cache entry has an associated NHRP next-hop override in the RIB, the flags are displayed as "router rib nho".

Router# show ip nhrp
10.1.1.22/32 via 10.1.1.22
   Tunnel0 created 00:00:06, expire 00:02:23
   Type: dynamic, Flags: router implicit
   NBMA address: 10.11.11.22
10.1.1.99/32 via 10.1.1.99
   Tunnel0 created 4d04h, never expire
   Type: static, Flags: used
   NBMA address: 10.11.11.99
172.16.11.0/24 via 10.1.1.11
   Tunnel0 created 00:00:06, expire 00:02:23
   Type: dynamic, Flags: router unique local
   NBMA address: 10.11.11.11
    (no-socket)
172.16.22.0/24 via 10.1.1.22
   Tunnel0 created 00:00:05, expire 00:02:24
   Type: dynamic, Flags: router rib nho
   NBMA address: 10.11.11.22

The following example shows the output displayed by the show ip nhrp shortcut command. This command displays only the NHRP cache entries that have an associated NHRP route or NHRP next-hop override.

Router# show ip nhrp shortcut
172.16.22.0/24 via 10.1.1.22
   Tunnel0 created 00:00:05, expire 00:02:24
   Type: dynamic, Flags: router rib
   NBMA address: 10.11.11.22
172.16.22.0/24 via 10.1.1.22
   Tunnel0 created 00:00:05, expire 00:02:24
   Type: dynamic, Flags: router rib nho
   NBMA address: 10.11.11.22
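For auditing, the cache output above can be parsed and the RIB-installed shortcuts compared against the tunnel endpoints you expect. This is an added example, not Cisco tooling: selecting entries by the "rib" flag follows the sample outputs on this page, and the inventory set, the last sample entry and its NBMA address (192.0.2.50) are constructed.

```python
import re

# Constructed capture in the layout shown above; the last entry is invented.
SAMPLE = """\
172.16.11.0/24 via 10.1.1.11
   Tunnel0 created 00:00:06, expire 00:02:23
   Type: dynamic, Flags: router unique local
   NBMA address: 10.11.11.11
    (no-socket)
172.16.22.0/24 via 10.1.1.22
   Tunnel0 created 00:00:05, expire 00:02:24
   Type: dynamic, Flags: router rib nho
   NBMA address: 10.11.11.22
172.16.33.0/24 via 10.1.1.33
   Tunnel0 created 00:00:02, expire 00:02:27
   Type: dynamic, Flags: router rib
   NBMA address: 192.0.2.50
"""
# Assumed inventory of NBMA addresses that belong to this DMVPN (constructed).
EXPECTED_NBMA = {"10.11.11.11", "10.11.11.22", "10.11.11.99"}

def parse_nhrp(text):
    """Split 'show ip nhrp' output into one dict per cache entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"(\d+\.\d+\.\d+\.\d+/\d+) via (\S+)$", line)
        flags = re.match(r"Type: (\w+), Flags: (.*)$", line)
        nbma = re.match(r"NBMA address: (\S+)$", line)
        if head:
            cur = {"prefix": head.group(1), "via": head.group(2),
                   "type": None, "flags": [], "nbma": None}
            entries.append(cur)
        elif cur and flags:
            cur["type"], cur["flags"] = flags.group(1), flags.group(2).split()
        elif cur and nbma:
            cur["nbma"] = nbma.group(1)
    return entries

def shortcut_entries(text):
    """Entries carrying the rib flag, labelled 'rib' or 'rib nho'."""
    return [(e["prefix"], "rib nho" if "nho" in e["flags"] else "rib", e["nbma"])
            for e in parse_nhrp(text) if "rib" in e["flags"]]

def unexpected_shortcuts(text, expected_nbma):
    """RIB-installed shortcuts whose NBMA address is not in the inventory."""
    return [s for s in shortcut_entries(text) if s[2] not in expected_nbma]
```
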

The following example shows the output displayed by the show dmvpn command. The output indicates a route installation in the attributes section of the command output.


Not all commands may be available in your Cisco IOS XE software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
